Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Iphone Privacy Security Apple

With Camera Permission, iPhone Apps Can Surreptitiously Take Pictures and Videos (vice.com) 69

An anonymous reader writes: Whenever you give iPhone apps permission to access your camera, the app can surreptitiously take pictures and videos of you as long as the app is in the foreground, a security researcher warned on Wednesday. This is not a bug, but keep it in mind when a random app asks you for permission to access your camera. What this means is that even if you don't see the camera "open" in the form of an on-screen viewfinder, an app can still take photos and videos. It is unknown how many apps currently do this, but Krause created a test app as a proof-of-concept. This behavior is what enables certain "spy" apps like Stealth Cam and Easy Calc - Camera Eye to exist. But even if this behavior is well-known among iOS developers and hardcore users, it's worth remembering that all apps that have camera permission can technically take photos in this way. "It's something most people have no idea about, as they think the camera is only being used if they see the camera content or a LED is blinking," Krause told Motherboard in a chat over Twitter direct message. Krause currently works at Google, but performed and published this research independently of his work there.
This discussion has been archived. No new comments can be posted.

With Camera Permission, iPhone Apps Can Surreptitiously Take Pictures and Videos

Comments Filter:
  • by Anonymous Coward

    So the Google employee also probably knows that Android apps can do the exact same thing. And there are spy camera apps for Android too.

    Slow news day, apparently.

    • by jellomizer ( 103300 ) on Wednesday October 25, 2017 @03:18PM (#55432077)

      But the new iPhone is going to be released soon, and Google doesn't want it to take the Pixel 2 thunder.
      While in actuality. If you are an Android User you will get an Android Phone, if you are an iPhone user you will get an iPhone. But articles like this help justify your belief that your purchase was somehow superior and you are the smarter consumer because of it.

      Because in order to get people to switch to the other, you really need some major new feature that the other will not have shortly... Or the Other finds a way to really screw it up their next generation product, or fails to keep the product up to date over a long period of time.

      • My next phone will have a feature that both Android and iPhone doesn't have: no applications and no spyware.

        What's the smallest, best flip-phone? I don't even want SMS nor a camera. Just a freakin' phone to make freakin' phone calls. /Dr.Evil

        • by Desler ( 1608317 )

          Flip phones have both applications and cameras.

        • Translation: I hate all new technology, so I post on technology websites.

          • Translation: all the new technology is being used to spy on us, tracks everything we do and my profile is being sold to thousands of companies for profits, so I'm falling back to older technology where these assholes can't reach me.

        • by nasch ( 598556 )

          I don't think there is such a thing as a cell phone that doesn't do SMS so you're stuck there. I'm not sure if anyone makes a phone that doesn't have additional apps either. If it's less than ten years old you're probably going to have a calendar, calculator, address book, and maybe music, navigation and a game or two.

  • by Anonymous Coward

    I thought everyone knew this.
    Oh, it's a vice article. Never mind.

  • by rsilvergun ( 571051 ) on Wednesday October 25, 2017 @03:14PM (#55432057)
    Give an app permission to use your camera and it can use your camera. Who knew? Also, how slow a news day does it have to be to greenlight something like this?
    • by jellomizer ( 103300 ) on Wednesday October 25, 2017 @03:20PM (#55432101)

      But we need a reason to hate Apple Products. Otherwise our decision to pick Android Products will seem less important. And buying something that isn't the best deal, is the most mortal sin that an internet user can do today.

    • Give an app permission to use your camera and it can use your camera. Who knew?

      Yeah. This is a d'oh story. Same thing goes for Android.

      The problem comes when sloppy or malicious programmers write code that wants too many permissions. I am using Mobisytems OfficeSuite and every time I try to look at a document I get the really scary warning that "this app will not work properly" unless Google Play is given permission to access my phone, camera, and occasionally a couple of other things. Sorry? You don't need to access my camera so I can read a document, and it ISN'T A PHONE. Oh, "body

      • by tepples ( 727027 )

        Same thing for the United Airlines app. It demands "camera". Why?

        I haven't flown in decades, but my first guess involves using the device's rear-facing camera to scan 2D barcodes printed on boarding passes and the like.

        • I haven't flown in decades, but my first guess involves using the device's rear-facing camera to scan 2D barcodes printed on boarding passes and the like.

          It's the United app. They know what boarding passes I have, and my tablet is not used to scan my boarding pass either for TSA or when I get on the plane. There are dedicated scanners at those check points.

          And no, displaying a QR code on a phone or tablet to be scanned by one of those devices does not require "camera" permissions on the display device.

          No valid purpose.

      • Same thing for the United Airlines app. It demands "camera". Why? So you can get pictures of me being dragged off the airplane without me knowing about it?

        If I had to guess: for taking snaps of QR codes of tickets or boarding passes displayed on a kiosk or home computer.

        Do you know what I've love to see? When developer submit apps to the store, they are also required to submit a single line for each requested permission which explains WHY they are requesting that permission. What feature requires this? The user could then just tap on a permission to see what it's being used for, and decide whether or not it's a feature they care about.

        At the very least, yo

    • Nerds knew. But that's kind of the point of the summary, the general thought that has been embedded in smartphone users via rote learning is that camera only does something when it's showing on your screen or flashing an LED.

  • A security researcher was needed to know that if you give something camera access that it can use your camera to take pictures and video? Isn’t that the whole point of allowing an app access to the camera? What else did they think the permission granted?

  • 99.99% of people don't give a shit.
    • by Desler ( 1608317 )

      Why would they? The whole point of allowing the permission is to allow apps to use your camera.

      • Probably more of the point of it is if that "Destiny 2 super companion app" asks you for permission to use your camera and microphone, tell it to F off, as there should be no reason for it to have access to those.

        • tell it to F off, as there should be no reason for it to have access to those.

          And then some apps will tell you to F off, they aren't going to run. I have a Galaxy Tab, and the "Galaxy Apps" demands access to "phone" and "contacts". It has no need to know my contacts, and it isn't a phone so it doesn't need 'phone'. If I don't give it those permissions, it just closes.

          I have no idea what services "galaxy apps" would provide to me because of that. If Samsung is trying to differentiate its product by giving me wonderful free apps that do great things, then it should know it is accompl

        • if that "Destiny 2 super companion app" asks you for permission to use your camera and microphone, tell it to F off, as there should be no reason for it to have access to those.

          I don't know about that. Does Destiny 2 expose an API for companion apps that allows syncing a companion app to a player's account by photographing a 2D barcode displayed on the screen?

          • by nasch ( 598556 )

            If it does, the app permission dialog should clearly explain that, and then if the permission is refused the other features of the app should continue to work normally.

            • by tepples ( 727027 )

              if the permission [to photograph a barcode representing a user account] is refused the other features of the app should continue to work normally.

              What would the companion app do without being logged in? If the user refuses the means by which the user logs in, how are the "other features of the app" supposed to authenticate in order to "continue to work normally"? Or would you prefer to require players to key in a 32-digit UUID displayed on the screen?

              • by nasch ( 598556 )

                IIRC from when I used the Destiny app, display news and general information about the game.

  • That's the business model. As Bruce Schneier says [schneier.com] it's a "Surveillance Business Model". That's the "deal". They give you a set of crappy applications for free, you ignore the fact that they can and will spy on you the maximum degree they think they can get away with (and beyond if they think they can hide their activities from you). OF COURSE these apps are gonna take your picture without you knowing. If they thought they could hold pictures of you fucking your wife for ransom, they'd do that too. If they c
  • I don't need those permissions active all the time. Plus there's bugs and hacks.

  • Whenever you give iPhone apps permission to access your camera, the app can surreptitiously take pictures and videos of you

    Wow, really? Whoever would have guessed?

    but performed and published this research

    This is hardy research. I certainly hope it isn't the epitome of this secury researcher's career.

  • The "researcher" is Felix Krause, who works for Google. His previous revelation was that apps could create input dialogs that look like password entry screens. He neglected to mention that Android phones have the same "flaws".
  • No shit, Sherlock? (Score:4, Insightful)

    by nospam007 ( 722110 ) * on Wednesday October 25, 2017 @03:52PM (#55432327)

    "Whenever you give iPhone apps permission to access your camera, the app can surreptitiously take pictures and videos "

    I'm flabbergasted, next you'll tell us if I give them permission to use the microphone, they can listen to us.

    • Perhaps the intent is that "foreground microphone" and "background microphone" ought to be split into separate permissions, as ought "foreground camera" and "background camera".

    • In their defense, one issue you might run into would be a one-time-use thing.

      For example, iTunes wants to use your camera so that it can read your iTunes card and update your balance. Which is a good thing. And when it asks if it can use your camera, it says that it only wants to do it so that it can read your iTunes card.

      But what's to say it isn't doing it for other purposes? It certainly can because I said, "Yeah, okay, iTunes can use the camera."

      Now, I don't remember if there's a "Ask Each Time" opti

  • by King_TJ ( 85913 ) on Wednesday October 25, 2017 @06:13PM (#55433283) Journal

    I think it's still a really valid question.... Why aren't these phones designed so an indicator light on them has to be lit if the camera is in use by something? Wire that up in the hardware so it's not a light you can bypass via clever software coding.

    Even if you don't care a bit about some app trying to sneakily take pictures or video while you have it running in the background, that impacts your battery life so you'd want to know about it just for that reason.

    Just because I grant an app permission to use the camera doesn't mean I'm ok with it trying to mis-use the camera input for other purposes than its stated function it performs while in the foreground.

    • Hardware real-estate is precious. You could use a multi-color notification light, but I already have trouble remembering which color means what.

      Instead, just use a notification icon. Android supports screenshotting through 3rd-party apps, but will show an icon whenever a screenshot is being taken. The same could be done for the camera and microphone. Although the microphone may be troublesome in the case of always-on "ok google" detection.

Whenever a system becomes completely defined, some damn fool discovers something which either abolishes the system or expands it beyond recognition.

Working...